Agencies might need to rethink telework security
A rash of breaches that some fear could be tied to VPN connections is raising concerns about the security of federal telework programs.
In light of recent breaches at the U.S. Postal Service, White House and State Department, agencies might need to take a closer look at the security of the virtual private networks (VPNs) their employees use while teleworking.
Although the breaches remain under investigation and no official culprit has been named, the hack at USPS prompted the agency to suspend its telework program.
According to USPS spokeswoman Sue Brennan, telework remained suspended as of Nov. 21, more than a week after the breach was announced, and upgrades and changes to the system are still in progress.
“Shutting down the USPS VPN should only be considered a treatment for a symptom of the problem, and my guess is [it] will only be a temporary move,” wrote Mark Seward, vice president of marketing at security analytics company Exabeam, in a blog post. “Addressing the larger problem requires adopting a mindset that the attacker is already inside.”
USPS officials announced the breach on Nov. 10 and said they believed it compromised some customer data, including names, addresses, telephone numbers and email addresses. It also exposed sensitive employee data, including Social Security numbers, email addresses and hiring information.
Officials have not concluded that a VPN was responsible for the breach, but if that turns out to be the case, major changes could be in store for the hundreds of thousands of federal employees who telework.
“We must plan and make our systems more secure to enable telework,” Office of Personnel Management CIO Donna Seymour said. “Yes, there are very good ways that make remote access more secure, and we employ those capabilities in many areas. As our networks become more secure and our remote access features become more secure, our adversaries also become smarter, and the reality is, these breaches are becoming more frequent. The goal is to detect quickly, react quickly and limit the potential damage.”
The Defense Information Systems Agency is one of those agencies that have an aggressive approach to securing its sensitive information for teleworkers. DISA developed special centers from which employees who handle sensitive information can telework. And, by all accounts, DISA has been generous in sharing best practices about running such centers with other agencies.
Most agencies devise their own telework and remote-access security policies, but they are expected to follow guidance from the National Institute of Standards and Technology, OPM and the Office of Management and Budget, all of which stress that teleworkers must remain vigilant.
“By focusing on specific manager security responsibilities and reinforcing the roles and responsibilities of participating teleworkers, agencies can ensure that the workforce is educated, aware and in compliance with the latest policies to safeguard information in a mobile environment,” an OPM spokesperson said.
According to the USPS Information Security Network Connectivity Process handbook, employees who telecommute must have the latest pattern-recognition antivirus software and a USPS-approved firewall on their remote computers.
“It’s not normal for a USPS employee to try and connect to certain databases, connect from a strange device, or connect from Uruguay,” Seward said. “Agencies have to keep a sharp eye on those types of user behaviors.”
Some agency VPNs require only a username and password for access while others require multifactor authentication, such as a Common Access Card or other smart card, RSA SecurID, eToken or biometric fingerprint sensor.
"Two-factor authentication is now widely available. It's a commercial best practice," Ron Ross, leader of NIST's Federal Information Security Management Act Implementation Project, told FCW. So many breaches start with compromised credentials, so when an agency implements two-factor authentication, "that can close down a whole bunch of attack vectors."
As far back as 2006, OMB issued a memo recommending that remote access be allowed only with two-factor authentication, with one of the factors provided by a device separate from the computer.
“This option, as well as others, is important to couple with effective training and program management to ensure telework is more secure overall,” the OPM spokesperson said.